September Patch Fixes Windows GDI Exploit and Other Problems

Four fixes address eight remote code execution exploits

Today, Microsoft rolled out four critical fixes, as expected, for as many as eight remote code execution exploits for various Windows applications.

The four fixes are designed to correct potential flaws in Windows Media Player, the Windows Media Encoder, Microsoft Office, and the Microsoft Windows GDI+ (graphics device interface).

One fix deals specifically with Windows Media Player 11, the popular player for streaming video, audio, and other digital content. The issue affects Windows XP Service Pack 2 and Windows XP Service Pack 3, all versions of Vista, and Windows Server 2008. Microsoft's fix resolves a privately reported hole in the Windows Media Player program in which an attacker could craft a malicious audio, video, or other digital content file that, once opened on a system, gives the attacker unfettered access to programs.

Another update addresses Windows GDI+ and "several" privately disclosed bugs in the program, according to Redmond.

The Windows GDI+ graphics engine is part of all of Microsoft's operating systems, and is also included with Microsoft Office and Microsoft SQL Server products, among others, according to security pros. The fix applies to Windows XP, Vista, and multiple versions of Windows Server 2003 and 2008. It also touches Internet Explorer 6 and Microsoft .NET Framework versions 1.0, 1.1 and 2.0 on Windows 2000 SP4.

The Windows GDI+ bug is one that's caught the eye of analysts in this month's patch.

"There are four advisories and eight vulnerabilities this month, but it comes down to GDI+, GDI+, GDI+ ... that is what is going to be on everyone's mind," said Tyler Reguly, security engineer at San Francisco-based nCircle. "I'm sure a number of people are going to be thinking back to a similar vulnerability from December 2005. At least this time, it's not in the wild."

Reguly added that it won't take long before the exploit is in the wild and that "everyone needs to patch this vulnerability quickly."

Tom Stracener, senior security analyst for Cenzic Inc., concurred and added that he's watching this fix closely. Based on Cenzic's application security research, vulnerabilities in media players tend to account for between two percent and five percent of the application vulnerability volume in any given quarter.

"Attackers often exploit client-side media player vulnerabilities because so many Web applications allow users to host media content," Stracener said. "The .NET security vulnerabilities will be key to patch for any organization that deploys applications written in this development environment."

Another of Microsoft's fixes addresses Windows Media Encoder 9 Series, a program designed to help digital content developers capture, convert, and edit both live and prerecorded audio, video, or still images. The fix is for Windows 2000 SP4, all editions of XP, Vista, Windows Server 2003, and Windows Server 2008.

The Windows Media Encoder 9 Series exploit is most effective when the user who triggers it is logged on with administrative rights. The attack is carried out via a maliciously crafted Web page containing the exploit code.

The last critical fix addresses wide-reaching remote-code execution vulnerabilities in several versions of Microsoft Office. The patch fixes Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, as well as Microsoft Office 2007 and Microsoft Office OneNote 2007.

September's Patch Tuesday releases generally address user-driven exploits in the enterprise space, and IT admins should patch accordingly, explained Eric Schultze, chief technology officer at St. Paul, Minn.-based Shavlik Technologies.

"In other words, focus on patching your end-user machines first, rather than the servers in your data center," Schultze said. "Since these exploits require users to perform actions on their computers, like visiting a Web site, servers in a data center are less prone to be exploited, as users aren't typically browsing the Internet from these servers."

Additionally, as Redmond has been doing since early spring, the software giant encourages administrators, users, and tech enthusiasts to check out its knowledge base article to catch up on this month's new releases.

-- Jabulani Leffall